diff --git a/backport-CVE-2019-20352.patch b/backport-CVE-2019-20352.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d7e89c0851f398daf2acdefd407e95a963c07bac
--- /dev/null
+++ b/backport-CVE-2019-20352.patch
@@ -0,0 +1,52 @@
+From 7c88289e222dc5ef9f53f9e86ecaab1924744b88 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov
+Date: Tue, 18 Aug 2020 11:25:14 +0300
+Subject: [PATCH] BR3392711: preproc: fix memory corruption in
+ expand_one_smacro
+
+https://github.com/netwide-assembler/nasm/commit/7c88289e222dc5ef9f53f9e86ecaab1924744b88
+
+The mempcpy helper returns *last* byte pointer thus when
+we call set_text_free we have to pass a pointer to the
+start of the string.
+
+Signed-off-by: Cyrill Gorcunov
+---
+ asm/preproc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/asm/preproc.c b/asm/preproc.c
+index fec9520..1368cee 100644
+--- a/asm/preproc.c
++++ b/asm/preproc.c
+@@ -5531,7 +5531,7 @@ static SMacro *expand_one_smacro(Token ***tpp)
+ {
+ size_t mlen = strlen(m->name);
+ size_t len;
+- char *p;
++ char *p, *from;
+
+ t->type = mstart->type;
+ if (t->type == TOK_LOCAL_MACRO) {
+@@ -5544,15 +5544,15 @@ static SMacro *expand_one_smacro(Token ***tpp)
+ plen = pep - psp;
+
+ len = mlen + plen;
+- p = nasm_malloc(len + 1);
++ from = p = nasm_malloc(len + 1);
+ p = mempcpy(p, psp, plen);
+ } else {
+ len = mlen;
+- p = nasm_malloc(len + 1);
++ from = p = nasm_malloc(len + 1);
+ }
+ p = mempcpy(p, m->name, mlen);
+ *p = '\0';
+- set_text_free(t, p, len);
++ set_text_free(t, from, len);
+
+ t->next = tline;
+ break;
+--
+2.23.0
+
diff --git a/backport-CVE-2020-24241-1.patch b/backport-CVE-2020-24241-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c5d4290f1ae801ff994d343f4c484376c4c5ad9f
--- /dev/null
+++ b/backport-CVE-2020-24241-1.patch
@@ -0,0 +1,76 @@
+From 6ac6ac57e3d01ea8ed4ea47706eb724b59176461 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin (Intel)"
+Date: Thu, 30 Jul 2020 15:46:12 -0700
+Subject: [PATCH] parser: when flattening an eop, must preserve any data buffer
+
+https://github.com/netwide-assembler/nasm/commit/6ac6ac57e3d01ea8ed4ea47706eb724b59176461
+
+An eop may have a data buffer associated with it as part of the same
+memory allocation. Therefore, we need to move "subexpr" up instead of
+merging it into "eop".
+
+This *partially* resolves BR 3392707, but that test case still
+triggers a violation when using -gcv8.
+
+Reported-by: Suhwan
+Signed-off-by: H. Peter Anvin (Intel)
+---
+ asm/parser.c | 16 +++++++++++-----
+ test/br3392707.asm | 21 +++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 5 deletions(-)
+ create mode 100644 test/br3392707.asm
+
+diff --git a/asm/parser.c b/asm/parser.c
+index dbd2240c..584e40c9 100644
+--- a/asm/parser.c
++++ b/asm/parser.c
+@@ -458,11 +458,17 @@ static int parse_eops(extop **result, bool critical, int elem)
+ /* Subexpression is empty */
+ eop->type = EOT_NOTHING;
+ } else if (!subexpr->next) {
+- /* Subexpression is a single element, flatten */
+- eop->val = subexpr->val;
+- eop->type = subexpr->type;
+- eop->dup *= subexpr->dup;
+- nasm_free(subexpr);
++ /*
++ * Subexpression is a single element, flatten.
++ * Note that if subexpr has an allocated buffer associated
++ * with it, freeing it would free the buffer, too, so
++ * we need to move subexpr up, not eop down.
++ */
++ if (!subexpr->elem)
++ subexpr->elem = eop->elem;
++ subexpr->dup *= eop->dup;
++ nasm_free(eop);
++ eop = subexpr;
+ } else {
+ eop->type = EOT_EXTOP;
+ }
+diff --git a/test/br3392707.asm b/test/br3392707.asm
+new file mode 100644
+index 00000000..6e84c5b4
+--- /dev/null
++++ b/test/br3392707.asm
+@@ -0,0 +1,21 @@
++ bits 32
++
++ db 33
++ db (44)
++; db (44,55) -- error
++ db %(44.55)
++ db %('XX','YY')
++ db ('AA')
++ db %('BB')
++ db ?
++ db 6 dup (33)
++ db 6 dup (33, 34)
++ db 6 dup (33, 34), 35
++ db 7 dup (99)
++ db 7 dup (?,?)
++ dw byte (?,44)
++
++ dw 0xcc, 4 dup byte ('PQR'), ?, 0xabcd
++
++ dd 16 dup (0xaaaa, ?, 0xbbbbbb)
++ dd 64 dup (?)
diff --git a/backport-CVE-2020-24241-2.patch b/backport-CVE-2020-24241-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3886794e1adcd8ed0af754dfb5db4452f622e0c7
--- /dev/null
+++ b/backport-CVE-2020-24241-2.patch
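Review bot: The new flatten branch in parse_eops carries only `elem` and `dup` across from the outer `eop` before `nasm_free(eop)`, so any other field of `eop` populated earlier in the function is silently dropped; parse_eops's body starts and ends outside the hunk, so whether anything else is set at that point in the 2.15.03 code this backport targets cannot be confirmed from here and should be checked against the surrounding lines. The commit message itself states the fix is only partial and that the `-gcv8` case still faults, which is what backport-CVE-2020-24241-2.patch addresses, so the two patches should be applied together. The added test/br3392707.asm has no expected-output file alongside it, so as imported it is a reproducer rather than a regression check unless the package's test harness runs it under a sanitizer.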
@@ -0,0 +1,55 @@
+From 78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin (Intel)"
+Date: Thu, 30 Jul 2020 17:06:24 -0700
+Subject: [PATCH] output/codeview.c: use list_for_each_safe() to free a list
+
+https://github.com/netwide-assembler/nasm/commit/78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c
+
+Using list_for_each() is by definition not safe when freeing the
+members of the list, use list_for_each_free() instead.
+
+Also, use nasm_new() and nasm_free() where appropriate.
+
+This was discovered as a downstream bug from BR 3392707.
+
+Signed-off-by: H. Peter Anvin (Intel)
+---
+ output/codeview.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/output/codeview.c b/output/codeview.c
+index be3fd27a..8276a4f3 100644
+--- a/output/codeview.c
++++ b/output/codeview.c
+@@ -305,7 +305,7 @@ static void build_type_table(struct coff_Section *const sect);
+ static void cv8_cleanup(void)
+ {
+ struct cv8_symbol *sym;
+- struct source_file *file;
++ struct source_file *file, *ftmp;
+
+ struct coff_Section *symbol_sect = coff_sects[cv8_state.symbol_sect];
+ struct coff_Section *type_sect = coff_sects[cv8_state.type_sect];
+@@ -316,10 +316,10 @@ static void cv8_cleanup(void)
+ build_symbol_table(symbol_sect);
+ build_type_table(type_sect);
+
+- list_for_each(file, cv8_state.source_files) {
++ list_for_each_safe(file, ftmp, cv8_state.source_files) {
+ nasm_free(file->fullname);
+ saa_free(file->lines);
+- free(file);
++ nasm_free(file);
+ }
+ hash_free(&cv8_state.file_hash);
+
+@@ -398,8 +398,7 @@ static struct source_file *register_file(const char *filename)
+
+ fullpath = nasm_realpath(filename);
+
+- file = nasm_zalloc(sizeof(*file));
+-
++ nasm_new(file);
+ file->filename = filename;
+ file->fullname = fullpath;
+ file->fullnamelen = strlen(fullpath);
diff --git a/nasm.spec b/nasm.spec
index 3011714860f1bb98d05fb90cd85aa0d373f4db17..471bce7b19732c8c7365587709421b3fda4e2cd4 100644
--- a/nasm.spec
+++ b/nasm.spec
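Review bot: After the new `list_for_each_safe` loop in cv8_cleanup, `cv8_state.source_files` still points at the first node that was just freed; nothing in the hunk resets it, so a second pass through cleanup or any later walk of that list would be a use-after-free rather than a no-op. Adding `cv8_state.source_files = NULL;` immediately before `hash_free(&cv8_state.file_hash);` leaves the list head in the same emptied state as the hash table freed on the next line. The commit message refers to `list_for_each_free()` while the code uses `list_for_each_safe()`; the backport header could correct the name so the two agree. The rest of cv8_cleanup and of register_file lies outside the hunk.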
@@ -8,12 +8,17 @@
 Name: nasm
 Version: 2.15.03
-Release: 1
+Release: 2
 Summary: The Netwide Assembler, a portable x86 assembler with Intel-like syntax
 License: BSD
 URL: http://www.nasm.us
 Source0: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}.tar.bz2
 Source1: http://www.nasm.us/pub/nasm/releasebuilds/%{version}/%{name}-%{version}-xdoc.tar.bz2
+
+Patch6000: backport-CVE-2019-20352.patch
+Patch6001: backport-CVE-2020-24241-1.patch
+Patch6002: backport-CVE-2020-24241-2.patch
+
 #https://bugzilla.nasm.us/attachment.cgi?id=411648
 BuildRequires: perl(Env) autoconf asciidoc xmlto gcc make git
@@ -82,6 +87,9 @@ make all %{?_smp_mflags}
 %{_mandir}/man1/ld*
 %changelog
+* Thu Jan 07 2020 shixuantong - 2.15.03-2
+- fix CVE-2019-20352 CVE-2020-24241
+
 * Thu Jul 23 2020 shixuantong - 2.15.03-1
 - update to 2.15.03-1
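Review bot: Patch6000 through Patch6002 are declared in this hunk but nothing visible applies them; unless `%prep` (outside the hunk) uses `%autosetup` or `%autopatch`, the three CVE fixes never reach the built binary even though the changelog claims them, so please confirm `%prep` applies numbered patches (the existing `git` BuildRequires suggests `%autosetup -S git`, but that is not shown). The %changelog entry in the second hunk is dated `Thu Jan 07 2020`, which is neither a Thursday nor later than the `Thu Jul 23 2020` entry for 2.15.03-1 it sits above, and the upstream commits it backports are from Aug 2020; rpmbuild warns about bogus and out-of-order changelog dates, so `* Thu Jan 07 2021 shixuantong - 2.15.03-2` is presumably what was meant.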